2007-2008 annual report to parliament - priv.gc.ca · 2007-2008 annual report on the access to...

2007-2008 ANNUAL rEPOrT TO PArLIAMENTon the Access to Information Act

Office of the Privacy Commissioner of Canada 112 Kent Street Ottawa, Ontario K1A 1H3

(613) 995-8210, 1-800-282-1376 Fax (613) 947-6850 TDD (613) 992-9190

This publication is also available on our Web site at www.privcom.gc.ca.

2007-2008 Annual Report on the Access to Information Act

Office of the Privacy Commissioner of Canada

Table of Contents

Introduction................................................................................................................................1 Mandate / Mission of the OPC...................................................................................................2 Organizational Structure ............................................................................................................3 ATIP Unit Activities ....................................................................................................................4 Access to Information Act Statistical Report and Interpretation.................................................6 Appendix A – Access to Information Act Delegation Order .......................................................8 Appendix B – Statistical Report on the Access to Information Act ..........................................11


Office of the Privacy Commissioner of Canada Page 1

Introduction The Access to Information Act (ATIA) came into effect on July 1, 1983. It provides Canadian citizens, permanent residents and any person and corporation present in Canada a right of access to information contained in government records, subject to certain specific and limited exceptions. Section 72 of the ATIA requires that the head of every federal government institution submit an annual report to Parliament on the administration of the Act within their institutions during the fiscal year. When the Federal Accountability Act received Royal Assent on December 12, 2006, the Office of the Privacy Commissioner (OPC) along with other Agents of Parliament were added to Schedule I of the ATIA. So, while not initially subject to the ATIA, the OPC became so on April 1, 2007. While this change has been—and continues to be—a learning experience for the OPC as a whole, we are fully supportive of greater transparency and accountability on the part of government and its institutions. In fact, shortly after taking office in 2003, the Privacy Commissioner publicly stated that although not yet subject to the ATIA, the OPC would act as though it were. So, in the spirit of the ATIA and using it as a guide, we began processing requests for access to OPC information well before April 1, 2007. Due to the nature of the work that we do and the information that we hold (e.g. through audits, investigations, research, etc.), we expected that once formally subject to the ATIA, we would receive a large number of requests but—as our statistics show—that has not been the case. While perhaps somewhat surprising, the situation nevertheless afforded us the opportunity to build the administrative side of the ATIP Unit, create ATIP policies and procedures, and ensure that the ATIP Unit staff had all of the training they required. The OPC is pleased to submit our first Annual Report which describes how we fulfilled our responsibilities under the ATIA during the fiscal year 2007-2008.



Mandate / Mission of the OPC The OPC is mandated to oversee compliance with the Privacy Act, which covers the personal information handling practices of federal government departments and agencies, and with the Personal Information Protection and Electronic Documents Act (PIPEDA) which is Canada’s private sector privacy law. Our mission is to protect and promote the privacy rights of individuals by, among other things: Investigating complaints and incidents under the Privacy Act and PIPEDA concerning the

handling of personal information;

Issuing reports to federal government institutions and private sector organizations which may contain recommendations designed to assist them in remedying situations and preventing errors in handling personal information;

Assessing compliance with Privacy Act and PIPEDA obligations through audit and review activities, and publicly reports on findings;

Reviewing and advising on Privacy Impact Assessments (PIAs) that deal with new or existing government initiatives;

Providing legal and policy expertise to help guide Parliament’s review of evolving legislation in order to ensure respect for individuals’ right to privacy;

Assisting Parliamentarians, individuals and organizations who are seeking information and guidance with respect to personal information handling practices;

Promoting public awareness and compliance with the two Acts and fostering understanding of privacy rights and obligations;

Monitoring trends in privacy practices, identifying systemic privacy issues to be addressed by federal government institutions and private sector organizations and promoting integration of best practices; and

Working closely with privacy stakeholders from other Canadian and international jurisdictions in order to address global privacy issues arising from ever-increasing trans-border data flows.

The OPC’s focus is on resolving complaints through negotiation and persuasion, using mediation and conciliation if appropriate. However, if voluntary co-operation is not forthcoming, the Commissioner has the power to summon witnesses, administer oaths and compel the production of evidence. In some unresolved cases, the Commissioner may take the matter to Federal Court.



Organizational Structure The Privacy Commissioner is an Officer of Parliament who reports directly to the House of Commons and the Senate. The Commissioner is assisted by two Assistant Privacy Commissioners, one responsible for the Privacy Act and the other responsible for PIPEDA. The OPC is comprised of seven distinct branches: Research, Education and Outreach; Communications; Audit and Review; Legal Services and Policy; Human Resources; Corporate Services, and; Investigations and Inquiries.

The Access to Information and Privacy (ATIP) Unit falls under the Corporate Services Branch. ATIP is headed by a Director who is supported by one Senior Analyst. This fiscal year, the ATIP Unit also used the services of an experienced ATIP analyst on a part time contract basis. Under section 73 of the ATIA the Privacy Commissioner, as the head of the OPC, delegated her authority to the Director General of Corporate Services and to the ATIP Director with respect to the application of the ATIA and its Regulations. A copy of that Delegation Order is attached as Appendix A.



ATIP Unit Activities Although the OPC was not subject to the ATIA until April 1, 2007, the ATIP Unit was staffed in February 2007 in order to begin the process of setting up the Unit and to handle nine formal requests that the OPC had already received. Among other things, those requests sought access to information concerning OPC research Contribution Agreements, expense information related to the External Advisory Committee, hospitality and travel claims, and responses that the OPC had received to its July 2006 PIPEDA Review discussion document. Over 6,000 pages of information were reviewed with respect to those requests with the vast majority of the information being fully disclosed. The information not provided consisted largely of personal information about other individuals. Given that the OPC was newly subject to ATIP responsibilities, the early focus was on administrative work that needed to be done. One of the first requirements was to ensure that information about the OPC was provided to the Treasury Board Secretariat. In early May 2007 all of the OPC’s Sources of Federal Employee Information – Standard Personal Information Banks (PIBs) and Sources of Federal Government Information – Standard Banks were registered with the Secretariat. The Secretariat was also provided initial information about the OPC to be included in Info Source such as background information, the OPC’s responsibilities, descriptions of and contacts for each OPC Branch, and the location of the OPC reading room. A review of all of the OPC’s record holdings was then undertaken to ensure that all non-standard bank information would be included in the next edition of Info Source. While preparing formal Access to Information Act training for OPC employees, in the interim, the ATIP Unit prepared a “Preliminary Guideline for Processing Requests Pursuant to the Access to Information Act” which was distributed to each branch head in June 2007 and which was published on the Intranet as a reference guide with respect to employees’ roles and responsibilities in the OPC’s new “Atipable” environment. The ATIP Unit has since written an “Access to Information Process and Compliance Manual” which is available to all staff on the OPC Intranet site and to the public on the OPC website. This manual describes all of the steps taken by the ATIP Unit in the processing of requests under both the ATIA and the Privacy Act. It provides extensive information on a wide variety of subjects, e.g. responsibilities of employees in their retrieval of the information, the legislative time constraints, exemptions and exclusions, the complaint and investigation process, etc. It also contains the ATIP policy with respect to fees and fee waivers. Four ATIA Awareness Sessions were given to OPC employees in June 2007 followed by two sessions in March 2008. In all some 125 employees received the training—the vast majority of staff. The Privacy Commissioner directed that this training be mandatory for all staff, including those working with the OPC on contract or on a temporary basis. Sessions will be given at least once a year in order to ensure that new staff receive the training as well. The ATIP Director sits on the OPC’s Policy Development Committee and has played a collaborative role in the planning, development and updating of OPC policies, procedures and directives in order to ensure that the ATIA is respected. The ATIP Director has also recently



drafted a “Directive Concerning Section 67.1 of the Access to Information Act” which—as of the writing of this report—has been presented to the Committee for first review. In 2007 the Information and Privacy Policy Division of the Chief Information Officer Branch within the Treasury Board Secretariat began the process of renewing the Access to Information and Privacy policies and guidelines. The OPC’s ATIP Unit is part of the Secretariat’s Policy Renewal Working Group and, as such, participated in a number of meetings during the fiscal year. Throughout the year the ATIP Unit has been active in providing advice to all OPC staff with respect to informal requests for access to information. The ATIP Unit has also supported the Information Management function by providing input concerning proper information handling practices and has been involved in discussions with Library and Archives Canada personnel concerning retention schedules for OPC records and information. Concurrently, the OPC’s ATIP Senior Analyst assisted another federal government institution by sitting on several competition boards for the recruitment of ATIP analysts. Finally, the OPC has included a section on its website entitled “Access to Information and Privacy” which provides the public with information about the ATIA, including how to request access to information that is under the control of the OPC.



Access to Information Act Statistical Report and Interpretation The OPC’s statistical Report on the Access to Information Act is attached at Appendix B. The OPC received 44 formal requests under the ATIA during the fiscal year. Of those, 14 sought access to records which were not under the control of the OPC and they were therefore transferred to Citizenship and Immigration Canada, the RCMP, the Canada Revenue Agency, the Department of National Defence and Correctional Service Canada for processing. Of the 30 requests for records under the OPC’s control, the ATIP Unit had responded to 29 by the end of the fiscal year—only one has been carried forward. While the OPC did not receive as many requests as anticipated, the 29 completed requests constituted 9,696 pages of information. All were completed within the statutory time limits. Section 16.1 of the ATIA was added to the ATIA as a result of the Federal Accountability Act. This provision requires that the OPC protect the information that we obtained during the course of our investigations or audits even once the matter and all related proceedings have been concluded.

Of the 29 requests completed during the fiscal year, six were for the contents of Privacy Act or PIPEDA investigation files. In two instances all of the information was withheld—one as the applicant was seeking a third party contract that the OPC had obtained from a respondent during the course of a PIPEDA investigation, and the other as the investigation was an active one. In the remaining cases, the information in the files was processed because the investigations were concluded and all appeal mechanisms had been exhausted.

Of the 44 requests received, six were submitted by media (13.636%), two by academia (4.545%), 18 by businesses (40.909%), and 18 by the public (40.909%).

Requests Received

The exemption provision invoked most often was section 19(1) concerning the personal information of others, followed closely by section 16.1 with respect to information the OPC

13.64%4.55%40.91%

40.91%

MediaAcademiaBusinessesPublic



received or created during the course of an investigation and section 23 with respect to solicitor-client information. The OPC received notice of five complaints that were submitted to the Information Commissioner—four of which were from one individual. Three of the complaints alleged denial of access, while two alleged a violation of the statutory time limit. The Information Commissioner concluded that two of the access complaints were “not substantiated” while the third was “resolved”. As for the delay complaints, the Information Commissioner concluded that one was “not substantiated”—the second is outstanding. As of the writing of this report, no applications have been submitted to the Federal Court following the Information Commissioner’s findings. In addition to processing its own ATIA requests, the OPC was consulted seven times by five government institutions with respect to eight documents. In each case, the OPC had no objection to the full disclosure of the documents. With respect to fees, we collected the mandatory $5.00 application fee from all but two individuals. In one case, the individual had submitted two requests, one for each of our investigation files concerning her PIPEDA complaints. As the investigation files were so closely intertwined and contained many of the same records, the OPC waived the application fee with respect to the second request. In the other instance, the application fee was waived because of the specific nature of the information being requested. None of the requests required the assessment of search, preparation or computer processing time. As for reproduction costs, federal government institutions generally waive reproduction costs for the first 125 pages of records—this amounts to $25.00. Given that this was our first year of operating under the ATIA, the OPC did not charge any of its requesters for providing copies of the documents they were seeking. Of the 20 requests to which we responded with copies, 12 of those were over 125 pages. The ATIP Unit has prepared a fee waiver policy which took effect April 1, 2008 and which is included in the “Access to Information Process and Compliance Manual”. The policy outlines the fees chargeable under the ATIA, states that the decision to waive, reduce or refund fees will be made on a case-by-case basis, and outlines the circumstances under which certain fees may be waived. For additional information on the OPC’s activities, please visit www.privcom.gc.ca. Additional copies of this report may be obtained from: Director, Access to Information and Privacy Office of the Privacy Commissioner of Canada 112 Kent Street Ottawa, ON K1A 1H3



Appendix A – Access to Information Act Delegation Order



Access to Information Act 7(a) Respond to request for access within 30 days; give access or give notice

8(1) Transfer of Request to government institution with greater interest

9 Extend time limit for responding to request for access

11(2), (3), (4), (5), (6) Additional fees

12(2)(b) Decide whether to translate requested record

12(3) Decide whether to give access in an alternative format

13(1) Shall refuse to disclose information obtained in confidence from another government

13(2) May disclose any information referred to in 13(1) if the other government consents to the disclosure or makes the information public

14 May refuse to disclose information injurious to the conduct of federal-provincial affairs

15 May refuse to disclose information injurious to international affairs or defence 16 Series of discretionary exemptions related to law enforcement and investigations;

security; and policing services for provinces or municipalities. 16.1(1) In force April 1, 2007 - Specific to four named Officers of Parliament - Auditor

General, Commissioner of Official Languages, Information Commissioner and Privacy Commissioner - shall refuse to disclose information obtained or created by them in the course of an investigation or audit

16.1(2) In force April 1, 2007 - Specific to two named Officers of Parliament – Information and Privacy Commissioner - shall not refuse under 16.1(1) to disclose any information created by the Commissioner in the course of an investigation or audit once the investigation or audit and related proceedings are concluded

17 May refuse to disclose information which could threaten the safety of individuals

18 May refuse to disclose information related to economic interests of Canada

18.1(1) (Not yet in force) May refuse to disclose confidential commercial information of Canada Post Corporation, Export Development Canada, Public Sector Pension Investment Board, or VIA Rail Inc.

18.1(2) (Not yet in force) Shall not refuse under 18.1(1) to disclose information relating to general administration of the institution

19 Shall refuse to disclose personal information as defined in section 3 of the Privacy Act, but may disclose if individual consents, if information is publicly available, or disclosure is in accordance with section 8 of Privacy Act



20 Shall refuse to disclose third party information, subject to exceptions

21 May refuse to disclose records containing advice or recommendations

22 May refuse to disclose information relating to testing or auditing procedures

22.1 (Not yet in force) May refuse to disclose draft report of an internal audit

23 May refuse to disclose information subject to solicitor/client privilege

24 Shall refuse to disclose information where statutory prohibition (Schedule II)

25 Shall disclose any part of record that can reasonably be severed

26 May refuse to disclose where information to be published

27(1),(4) Third party notification

28(1),(2),(4) Receive representations of third party

29(1) Disclosure on recommendation of Information Commissioner

33 Advise Information Commissioner of third party involvement

35(2) Right to make representations to the Information Commissioner during an investigation

37(1) Receive Information Commissioner’s report of findings of the investigation and give notice of action taken

37(4) Give complainant access to information after 37(1)(b) notice

43(1) Notice to third party (application to Federal court for review)

44(2) Notice to applicant (application to federal Court by third party)

52(2)(b) Request that section 52 hearing be held in the National Capital Region

52(3) Request and be given right to make representations in section 51 hearings

71(2) Exempt information may be severed from manuals

72(1) Prepare annual report to Parliament

Access to Information Regulations 6(1) Procedures relating to transfer of access request to another government

institution under 8(1) of the Act 8 Form of Access



Appendix B – Statistical Report on the Access to Information Act REPORT ON THE ACCESS TO INFORMATION ACT

RAPPORT CONCERNANT LA LOI SUR L'ACCÈS À L'INFORMATON Institution Office of the Privacy Commissioner of Canada

Reporting period / Période visée par le rapport April 1, 2007 to March 31, 2008

Source Media / Médias 6

Academia / Secteur universitatire 2

Business / Secteur commercial 18

Organization / Organisme

Public 18

I Requests under the Access to Information Act / Demandes en vertu de la Loi sur l'accès à l'information II Dispositon of requests completed /

Disposition à l'égard des demandes traitées Received during reporting period / Reçues pendant la période visée par le rapport 44 1. All disclosed / Communication totale 5 6. Unable to process / Traitement impossible 4

Outstanding from previous period / En suspens depuis la période antérieure 2. Disclosed in part / Communication

partielle 15 7. Abandoned by applicant / Abandon de la demande 2

TOTAL 44 3. Nothing disclosed (excluded) / Aucune communication (exclusion) n/a 8. Treated informally / Traitement non officiel

Completed during reporting period / Traitées pendant la période visées par le rapport 43 4. Nothing disclosed (exempt) /

Aucune communication (exemption) 3

Carried forward / Reportées 1 5. Transferred / Transmission 14 TOTAL 43

III Exemptions invoked / Exceptions invoquées

S. Art. 13(1)(a) S.

Art 16(1)(a) S. Art. 18(b) S.

Art. 21(1)(a) 3

(b) (b) (c) (b) 2

(c) 1 (c) (d) (c)

(d) (d) S. Art. 19(1) 10 (d)

S. Art. 14 S.

Art. 16(2) 1 S. Art. 20(1)(a) S.

Art.22 2

S. 15(1) International rel. / Art. Relations interm. S.

Art. 16(3) (b) S. Art 23 8

Defence / Défense S.

Art. 17 (c) S. Art. 24

Subversive activities / Activités subversives S.

Art. 18(a) 2 (d) S. Art 26

IV Exclusions cited /Exclusions citées V Completion time /Délai de traitement S. / Art. 68(a) S. / Art. 69(1)(c) 30 days or under / 30 jours ou moins 40

(b) (d) 31 to 60 days / De 31 à 60 jours 1

(c) (e) 61 to 120 days /De 61 à 120 jours 2

S. / Art. 69(1)(a) (f) 121 days or over / 121 jours ou plus

(b) (g) 1

VI Extensions /Prorogations des délais VII Translations /Traduction VIII Method of access /Méthode de consultation

30 days or under / 30 jours ou moins

31 days or over / 31 jours ou plus Translations requested /

Traductions demandées Copies given / Copies de l'original 20

Searching / Recherche 1 Translations

prepared / English to French / De l'anglais au français Examination /

Examen de l'original

Consultation 2 Traductions préparées

French to English / Du français à l'anglais Copies and examination /

Copies et examen

Third party / Tiers

TOTAL 1 2

IX Fees /Frais X Costs / Coûts

Net fees collected / Frais net perçus Financial (all reasons) /

Financiers (raisons)

Application fees / Frais de la demande $140.00 Preparation /

Préparation Salary / Traitement $ 64,966.28

Reproduction Computer processing / Traitement informatique Administration (O and M) /

Administration (fonctionnement et maintien) $ 36,792.03

Searching / Recherche TOTAL $140.00 TOTAL $ 101,758.31

Fees waived / Dispense de frais

No. of times / Nombre de fois $ Person year utilization (all reasons) /

Années-personnes utilisées (raison)

$25.00 or under / 25 $ ou moins 11 $84.80 Person year (decimal format) /

Années-personnes (nombre décimal) .9715

Over $25.00 /De plus de 25 $ 12 $993.00

TBS/SCT 350-62 (Rev. 1999/03)

Governmentof Canada

Gouvernementdu Canada



Discrepancies

Source of requests

OPC included in the source the transferred requests.

III – Exemptions invoked

Section 16.1 was invoked on 9 requests.

IX – Fees

OPC waived the $5.00 application fee in two instances.

In one case, the individual had submitted two requests, one for each of our investigation files on her complaints. As the investigation files were so closely intertwined and contained many of the same records, the OPC waived the application fee with respect to the second request.

In another instance an application fee was waived because of the specific nature of the information requested.

X – Costs

All operating and maintenance costs are borne by other OPC Branches, eg: Human Resources (training), Information Technology (computers, printouts, etc.), Corporate Services (supplies, mailing, etc.).

Other

The OPC received and responded to 7 consultations from other government institutions.

Supplemental Reporting Requirements for 2007-2008 Access to Information Act In addition to the reporting requirements addressed in form TBS/SCT 350-62 "Report on the Access to Information Act", institutions are required to report on the following using this form: Part III – Exemptions invoked Section 13 Subsection 13(e) N/A Section 14 Subsections 14(a) N/A 14(b) N/A Part IV – Exclusions cited: Subsection 69.1 1

2007-2008 ANNUAL rEPOrT TO PArLIAMENTon the Privacy Act

Office of the Privacy Commissioner of Canada 112 Kent Street Ottawa, Ontario K1A 1H3

(613) 995-8210, 1-800-282-1376 Fax (613) 947-6850 TDD (613) 992-9190

This publication is also available on our Web site at www.privcom.gc.ca.

2007-2008 Annual Report on the Privacy Act

Office of the Privacy Commissioner of Canada

Table of Contents

Introduction................................................................................................................................1 Mandate / Mission of the OPC...................................................................................................2 Organizational Structure ............................................................................................................3 Privacy Commissioner, ad hoc / Complaint Mechanism............................................................4 ATIP Unit Activities ....................................................................................................................5 Privacy Act Statistical Report and Interpretation .......................................................................6 Report on the Privacy Impact Assessment (PIA) Policy ............................................................7 Disclosures of Personal Information ..........................................................................................7 Privacy-Related Policies ............................................................................................................7 Appendix A – Privacy Act Delegation Order ..............................................................................8 Appendix B – Statistical Report on the Privacy Act .................................................................11



Introduction The Privacy Act took effect on July 1, 1983. This Act imposes obligations on federal government departments and agencies to respect the privacy rights of individuals by limiting the collection, use and disclosure of personal information. The Act also gives individuals the right of access to their personal information and the right to request the correction of that information. Section 72 of the Act requires that the head of every federal government institution submit an annual report to Parliament on the administration of the Act within their institutions during the fiscal year. When the Federal Accountability Act received Royal Assent on December 12, 2006, the Office of the Privacy Commissioner (OPC) along with other Agents of Parliament were added to the Schedule of the Privacy Act. So, while not initially subject to the Act, the OPC became so on April 1, 2007. While this change has been—and continues to be—a learning experience for the OPC as a whole, we are fully supportive of greater transparency and accountability on the part of government and its institutions. In fact, shortly after taking office in 2003, the Privacy Commissioner maintained that although not yet subject to the Privacy Act, the OPC would conduct itself as though it were. We did not receive any requests from individuals for access to their personal information prior to April 1, 2007 but we did receive a number of requests for other information which we processed using the Access to Information Act as a guide. Due to the nature of the work we do—and as our investigation files contain extensive personal information—we expected that once formally subject to the Privacy Act, we would receive a large number of requests for the contents of those files. However, as our statistics show, that has not been the case. While perhaps somewhat surprising, the situation nevertheless afforded us the opportunity to build the administrative side of the ATIP Unit, create ATIP policies and procedures, and ensure that the ATIP Unit staff had all of the training they required. For the past 25 years the OPC has been overseeing federal government institutions’ compliance with the Privacy Act and, in doing so, we have at times been quite critical of their personal information management practices. With the passing of the Federal Accountability Act we now find ourselves on the ‘other side of the fence’. Admittedly, it is sometimes difficult to look inwards but, in this case, we wholeheartedly welcome our complete and formal inclusion into the Privacy Act family. Not only are we committed to fulfilling the mandate given the OPC under the Act, we are wholly committed to ensuring that we fully adhere to the Act with respect to the proper handling of the personal information which is under our control. The OPC is therefore pleased to submit our first Annual Report which describes how we fulfilled our responsibilities under the Privacy Act during the fiscal year 2007-2008.



Mandate / Mission of the OPC The OPC is mandated to oversee compliance with the Privacy Act, which covers the personal information handling practices of federal government departments and agencies, and with the Personal Information Protection and Electronic Documents Act (PIPEDA) which is Canada’s private sector privacy law. Our mission is to protect and promote the privacy rights of individuals by, among other things: Investigating complaints and incidents under the Privacy Act and PIPEDA concerning the

handling of personal information;

Issuing reports to federal government institutions and private sector organizations which may contain recommendations designed to assist them in remedying situations and preventing errors in handling personal information;

Assessing compliance with Privacy Act and PIPEDA obligations through audit and review activities, and publicly reports on findings;

Reviewing and advising on Privacy Impact Assessments (PIAs) that deal with new or existing government initiatives;

Providing legal and policy expertise to help guide Parliament’s review of evolving legislation in order to ensure respect for individuals’ right to privacy;

Assisting Parliamentarians, individuals and organizations who are seeking information and guidance with respect to personal information handling practices;

Promoting public awareness and compliance with the two Acts and fostering understanding of privacy rights and obligations;

Monitoring trends in privacy practices, identifying systemic privacy issues to be addressed by federal government institutions and private sector organizations and promoting integration of best practices; and

Working closely with privacy stakeholders from other Canadian and international jurisdictions in order to address global privacy issues arising from ever-increasing trans-border data flows.

The OPC’s focus is on resolving complaints through negotiation and persuasion, using mediation and conciliation if appropriate. However, if voluntary co-operation is not forthcoming, the Commissioner has the power to summon witnesses, administer oaths and compel the production of evidence. In some unresolved cases, the Commissioner may take the matter to Federal Court.



Organizational Structure The Privacy Commissioner is an Officer of Parliament who reports directly to the House of Commons and the Senate. The Commissioner is assisted by two Assistant Privacy Commissioners, one responsible for the Privacy Act and the other responsible for PIPEDA. The OPC is comprised of seven distinct branches: Research, Education and Outreach; Communications; Audit and Review; Legal Services and Policy; Human Resources; Corporate Services, and; Investigations and Inquiries. The Access to Information and Privacy (ATIP) Unit falls under the Corporate Services Branch. The ATIP Unit is headed by a Director who is supported by one Senior Analyst. This fiscal year, the ATIP Unit also used the services of an experienced ATIP analyst on a part time contract basis. Under section 73 of the Privacy Act the Privacy Commissioner, as the head of the OPC, has delegated the majority of her authority to the Director General of Corporate Services and to the ATIP Director with respect to the application of the Act and its Regulations. Due to the seriousness of public interest disclosures under section 8(2)(m) of the Act, the Commissioner has not delegated those decisions. A copy of the Delegation Order is attached as Appendix A.

PARLIAMENT

PrivacyCommissioner

of Canada

AssistantCommissioner

PIPEDA

AssistantCommissioner

Privacy Act

Director General

Audit and Review

General Counsel

Legal Services, Policy and

Parliamentary Affairs

DirectorHuman

Resources

Director General

Investigations and Inquiries

DirectorResearch

Education and Outreach

DirectorCommuni-

cations

Director General

Corporate Services



Privacy Commissioner, ad hoc / Complaint Mechanism When the Federal Accountability Act received Royal Assent on December 12, 2006, it did not contain a mechanism under which Privacy Act complaints against the OPC would be investigated. Clearly, it is entirely inappropriate that the OPC investigate its own actions with respect to its administration of the Privacy Act. Indeed, the issue was raised in the Department of Justice Discussion Paper on Strengthening the Access to Information Act which was released on April 11, 2006. The Paper encouraged the House of Commons Committee on Access to Information, Privacy and Ethics to offer suggestions on an appropriate design of a mechanism, the appointment process and the qualifications of the selected individual. On May 30, 2006 the Privacy Commissioner appeared before the House of Commons Legislative Committee and said:

Finally, I bring to your attention what I see as a serious omission in Bill C-2: the absence of a mechanism to investigate access or privacy complaints against the Information and Privacy Commissioners. I would hope that the provisions in Bill C-2 making the two Commissioners subject to both Acts will not come into force until an alternative complaint investigation process is properly established to deal with these new types of situations.

The Commissioner then appeared before the Standing Committee on Legal and Constitutional Affairs on September 21, 2006 during which she voiced her expectation that changes to the Privacy Act should not come into force until an appropriate mechanism was in place. This was reiterated in her written Submission to the Committee. In its October 26, 2006 Report to the House on C-2, the Senate Committee endorsed the Privacy Commissioner’s view and stated, “We join with the Privacy Commissioner in urging the Government to delay the entry into force of these measures until an appropriate mechanism to address this situation is identified and in place.” We fully expected that our concern would be addressed by the government, but the Federal Accountability Act remains silent. After a year, we find ourselves in the extremely difficult position of having to create and maintain our own mechanism, one which hopefully gives individuals confidence that investigations against the OPC are being conducted independently of the OPC. This is difficult to say the least, given that the OPC ultimately decides who will be the Privacy Commissioner, ad hoc and since the OPC is absorbing all of the costs associated with the process. In September 2007 the Honorable Peter de C. Cory accepted to be engaged as Privacy Commissioner, ad hoc to receive and investigate complaints concerning the OPC pursuant to section 29 of the Privacy Act. The Privacy Commissioner delegated the majority of her powers, duties and functions as set out in sections 29 through 35 and section 42 of the Act to Mr. Cory in order that he could carry out his investigations. Mr. Cory also accepted to be engaged as Information Commissioner ad hoc so as to investigate ATIA complaints filed concerning the Office of the Information Commissioner (OIC). It was quickly recognized that it would be inappropriate for the investigator conducting Privacy Act investigations against the OPC to work within the offices of the OPC—a view shared by the OIC



with respect to the investigator conducting ATIA complaints against that Office. Therefore, the OPC and the OIC entered into an agreement whereby we would each provide secured office space for the other’s investigator along with locked cabinets, stand-alone computers, etc. Mr. Cory’s services are no longer available to us. The OPC has therefore engaged the Honourable Andrew W. MacKay, former Judge of the Federal Court. His biography may be found at http://cas-ncr-nter03.cas-satj.gc.ca/portal/page/portal/fc_cf_en/MacKay.

ATIP Unit Activities Although the OPC was not subject to the Privacy Act until April 1, 2007, the ATIP Unit was staffed in February 2007 in order to begin the process of setting up the Unit and to handle a number of informal requests that the OPC had already received under the Access to Information Act. Given that the OPC was newly subject to ATIP responsibilities, the early focus was on administrative work that needed to be done. One of the first requirements was to ensure that information about the OPC was provided to the Treasury Board Secretariat. In early May 2007 all of the OPC’s Sources of Federal Employee Information – Standard Personal Information Banks (PIBs) and Sources of Federal Government Information – Standard Banks were registered with the Secretariat. The Secretariat was also provided initial information about the OPC to be included in Info Source such as background information, the OPC’s responsibilities, descriptions of and contacts for each OPC Branch, and the location of the OPC reading room. A review of all of the OPC’s record holdings was then undertaken to ensure that all non-standard bank information would be included in the next edition of Info Source. The ATIP Unit has written an “Access to Information Process and Compliance Manual” which is available to all staff on the OPC Intranet site and to the public on the OPC website as well. This manual describes all of the steps taken by the ATIP Unit in receiving and responding to requests under both the Access to Information Act (ATIA) and the Privacy Act. It provides extensive information for staff on a wide variety of subjects including responsibilities of staff to retrieve information, legislative time constraints, exemptions and exclusions, the complaint and investigation process. The manual also provides extensive information concerning the proper collection, retention, use, disclosure and disposition of personal information. No specific Privacy Act training has been given to staff to date although we certainly intend to do so soon. However, it is important to note that the vast majority of OPC staff are already extremely sensitized to privacy issues and the requirements of government institutions covered by the Privacy Act concerning the protection of personal information given the nature of our work. In assessing training needs in our new “Atipable” environment, we quickly realized that most OPC employees were not as fully informed as to their ATIA responsibilities; therefore, priority training was given with respect to the ATIA. While preparing specific Privacy Act training, in the meantime the OPC’s “Access to Information Process and Compliance Manual” provides clear guidance as to the proper handling of personal information. The ATIP Director sits on the OPC’s Policy Development Committee and has taken a collaborative role in the planning, development and updating of OPC policies, procedures and directives in order to ensure that the Privacy Act is respected. In 2007 the Information and Privacy Policy Division of the Chief Information Officer Branch within the Treasury Board Secretariat began the process of renewing the Access to Information and



Privacy policies and guidelines. The OPC’s ATIP Director is part of the Secretariat’s Policy Renewal Working Group and, as such, participated in a number of meetings during the fiscal year. Throughout the year the ATIP Unit has been active in providing advice to all OPC staff with respect to personal information handling practices. The ATIP Unit has also supported the Information Management function by providing input concerning proper information handling practices and has been involved in discussions with Library and Archives Canada personnel concerning retention schedules for OPC records and information. Concurrently, the OPC’s ATIP Senior Analyst assisted another federal government institution by sitting on several competition boards for the recruitment of ATIP analysts. Finally, the OPC has included a section on its website entitled “Access to Information and Privacy” which provides the public with information about the Privacy Act, including how to request access to information that is under the control of the OPC.

Privacy Act Statistical Report and Interpretation The OPC’s statistical Report on the Privacy Act is attached at Appendix B. The OPC received 45 formal requests under the Privacy Act for the fiscal year. Of those, 23 sought access to personal information under the control of other government institutions and therefore—with the consent of the requesters—they were re-directed to those institutions for processing (Citizenship and Immigration; the RCMP; the Canada Revenue Agency; National Defence; Correctional Service Canada; the Canada Post Corporation; Canadian Heritage; Service Canada; and the Canadian Firearms Centre). Of the 22 requests for personal information under the OPC’s control, the ATIP Unit had responded to all of them by the end of the reporting year. While the OPC did not receive as many requests as anticipated, the 22 requests constituted 4,451 pages of information. No time extensions were taken and all were completed within the statutory time limits. Section 22.1 of the Privacy Act was added to the Act as a result of the Federal Accountability Act. This provision requires that the OPC protect the information that we obtained during the course of our investigations or audits even once the matter and all related proceedings have been concluded. Of the 22 Privacy Act requests completed, 10 were for the contents of Privacy Act or PIPEDA investigation files. In two of those instances all of the information was withheld as one case was before the Court, and as all appeal mechanisms with respect to the other had not yet been exhausted. In the remaining cases our investigations and all related proceedings were closed. So, the information in those files was processed and released to the requesters subject to applicable exemptions. Of the 22 requests received for access to OPC information, one (1) was submitted by a lawyer while the remainder were submitted by individuals. The exemption provision invoked most often was section 22.1 with respect to information the OPC received or created during the course of an investigation, followed closely by section 26 concerning the personal information of other individuals.



The OPC received notice of two complaints of denial of access made to the Privacy Commissioner ad hoc, both of which were filed by one individual. While the Privacy Commissioner ad hoc has concluded that both complaints are “not well-founded”, they are not included in our statistical report. The findings were rendered on April 2, 2008 and therefore will be included in our report for fiscal year 2008-2009.

As of the writing of this report, no applications have been submitted to the Federal Court following the Privacy Commissioner ad hoc’s findings.

In addition to processing its own Privacy Act requests, the OPC was also consulted three times by two government institutions with respect to eleven 11 documents. In each case, the OPC had no objection to the disclosure of the information they contained.

Report on the Privacy Impact Assessment (PIA) Policy The Privacy Impact Assessment Policy which came into effect on May 2, 2002, requires that the Treasury Board Secretariat monitor compliance with the Policy. Given this responsibility, institutions are asked to include pertinent statistics in their annual reports on the administration of the Privacy Act. The OPC has not conducted any PIAs during this reporting fiscal year. It is anticipated, however, that one will be conducted with respect to the Office’s new Case Management system. The requirements of this system are presently being defined.

Disclosures of Personal Information The OPC disclosed no personal information under sections 8(2)(e), (f), (g) or (m) of the Privacy Act during this fiscal year.

Privacy-Related Policies The ATIP Director is a member of the OPC’s Policy Development Committee. In that role, policies, directives and guidelines have been and continue to be reviewed to ensure that the Privacy Act is respected. The ATIP Unit drafted the OPC’s Employee Privacy Policy which has been finalized and approved by senior management. The Unit has also drafted a Corporate Privacy Policy and a Privacy Breach Policy. It is expected that all of these will be in place during the 2008-2009 reporting fiscal year. For additional information on the OPC’s activities, please visit www.privcom.gc.ca Additional copies of this report may be obtained from: Director, Access to Information and Privacy Office of the Privacy Commissioner of Canada 112 Kent Street Ottawa, ON K1A 1H3



Appendix A – Privacy Act Delegation Order



Privacy Act 8(2)(j) Disclose personal information for research purposes 8(2)(m) Disclose personal information in the public interest or in the interest of the individual 8(4) Retain copy of 8(2)(e) requests and disclosed records 8(5) Notify Privacy Commissioner of 8(2)(m) disclosures 9(1) Retain record of use 9(4) Notify Privacy Commissioner of consistent use and amend index 10 Include personal information in personal information banks 14 Respond to request for access within 30 days; give access or give notice 15 Extend time limit for responding to request for access 17(2)(b) Decide whether to translate requested information 17(3)(b) Decide whether to give access in an alternative format 18(2) May refuse to disclose information contained in an exempt bank 19(1) Shall refuse to disclose information obtained in confidence from another government 19(2) May disclose any information referred to in 19(1) if the other government consents to

the disclosure or makes the information public 20 May refuse to disclose information injurious to the conduct of federal-provincial

affairs 21 May refuse to disclose information injurious to international affairs or defence 22 Series of discretionary exemptions related to law enforcement and investigations;

and policing services for provinces or municipalities. 22.1(1) In force April 1, 2007 - Privacy Commissioner shall refuse to disclose information

obtained or created in the course of an investigation conducted by the Commissioner

22.1(2) In force April 1, 2007 - Privacy Commissioner shall not refuse under 22.1(1) to disclose any information created by the Commissioner in the course of an investigation conducted by the Commissioner once the investigation and related proceedings are concluded

23 May refuse to disclose information prepared by an investigative body for security

clearances



24 May refuse to disclose information collected by the Correctional Service of Canada or the National Parole Board while individual was under sentence if conditions in section are met

25 May refuse to disclose information which could threaten the safety of individuals 26 May refuse to disclose information about another individual, and shall refuse to

disclose such information where disclosure is prohibited under section 8 27 May refuse to disclose information subject to solicitor-client privilege 28 May refuse to disclose information relating to the individual’s physical or mental

health where disclosure is contrary to best interests of the individual 31 Receive notice of investigation by Privacy Commissioner 33(2) Right to make representations to the Privacy Commissioner during an investigation 35(1) Receive Privacy Commissioner’s report of findings of the investigation and give

notice of action taken 35(4) Give complainant access to information after 35(1)(b) notice 36(3) Receive Privacy Commissioner’s report of findings of investigation of exempt bank 37(3) Receive report of Privacy Commissioner’s findings after compliance investigation 51(2)(b) Request that section 51 hearing be held in the National Capital Region 51(3) Request and be given right to make representations in section 51 hearings 72(1) Prepare annual report to Parliament

Privacy Regulations 9 Provide reasonable facilities to examine information 11(2) and (4) Procedures for correction or notation of information 13(1) Disclosure of information relating to physical or mental health to qualified practitioner

or psychologist 14 Require individual to examine information in presence of qualified practitioner or

psychologist



Appendix B – Statistical Report on the Privacy Act REPORT ON THE PRIVACY ACT

RAPPORT CONCERNANT LA LOI SUR LA PROTECTION DES RENSEIGNEMENTS PERSONNELS Institution Office of the Privacy Commissioner of Canada

Reporting period / Période visée par le rapport April 1, 2007 to March 31, 2008

I Requests under the Privacy Act / Demandes en vertu de la Loi sur la protection des renseignements personnels

IV Exclusions cited / Exclusions citées VII Translations /

Traductions

Received during reporting period / Reçues pendant la période visée par le rapport 45 S.

Art. 69(1)(a) Translations requested / Traductions demandées

Outstanding from previous period / En suspens depuis la période antérieure (b) Translations

prepared /

English to French / De l'anglais au français

TOTAL 45 S. Art. 70(1)(a) Traductions

préparées

French to English / Du français à l'anglais

Completed during reporting period / Traitées pendant la période visées par le rapport 45 (b)

Carried forward / Reportées (c) VIII Method of access /

Méthode de consultation

(d) Copies given / Copies de l'original 14

II Disposition of request completed / Disposition à l'égard des demandes traitées (e) Examination / Examen de l'original

1. All disclosed / Communication totale 4 (f) Copies and examination / Copies et

examen

2. Disclosed in part / Communication partielle 10

3. Nothing disclosed (excluded) / Aucune communication (exclusion) V Completion time /

Délai de traitement

4. Nothing disclosed (exempt) / Aucune communication (exemption) 2 30 days or under /

30 jours ou moins 45 IX Corrections and notation / Corrections et mention

5. Unable to process / Traitement impossible 6 31 to 60 days /

De 31 à 60 jours Corrections requested / Corrections demandées

6. Abandonned by applicant / Abandon de la demande 61 to 120 days /

De 61 à 120 jours Corrections made / Corrections effectuées

7. Transferred / Transmission 23 121 days or over /

121 jours ou plus

Notation attached / Mention annexée

TOTAL 45

III Exemptions invoked /

Exceptions invoquées VI Extentions /

Prorogations des délais X Costs /

Coûts

S. Art. 18(2)

30 days or under / 30 jours ou moins

31 days or over / 31 jours ou plus

Financial (all reasons) / Financiers (raisons)

S. Art. 19(1)(a)

Interference with operations / Interruption des opérations

Salary / Traitement $ 67,988.38

(b) Consultation Administration (O and M) /Administration (fonctionnement et maintien)

$ 38,503.51

(c) Translation / Traduction TOTAL $ 106,491.89

(d) TOTAL

S. Art. 20 Person year utilization (all reasons) /

Années-personnes utilisées (raisons)

S. Art. 21

Person year (decimal format) /Années-personnes (nombre décimal)

1.0167

S. / Art. 22(1)(a)

(b)

(c)

S. / Art. 22(2)

S. / Art. 23 (a)

(b)

S. / Art. 24

S. / Art. 25

S. / Art. 26 5

S. / Art. 27

S. / Art. 28

TBS/SCT 350-63 (Rev. 1999/03)

Governmentof Canada

Gouvernementdu Canada



Discrepancies

III – Exemptions invoked

Section 22.1 was invoked on 7 requests.

X – Costs

All operating and maintenance costs are borne by other OPC Branches i.e.: Human Resources (training), Information Technology (computers, printouts, etc), Corporate Services (supplies, mailing, etc).

Other

The OPC received and responded to 3 consultations from other government institutions.

Supplemental Reporting Requirements for 2007-2008 Privacy Act Treasury Board Secretariat is monitoring compliance with the Privacy Impact Assessment (PIA) Policy (which came into effect on May 2, 2002) through a variety of means. Institutions are therefore required to report the following information for the 2007-2008 reporting period.

Indicate the number of:

Preliminary Privacy Impact Assessments initiated: N/A

Preliminary Privacy Impact Assessments completed: N/A

Privacy Impact Assessments initiated: N/A

Privacy Impact Assessments completed: N/A

Privacy Impact Assessments forwarded to the Office of the Privacy Commissioner (OPC): N/A

If your institution did not undertake any of the activities noted above during the reporting period, this must be stated explicitly.

• The OPC did not undertake any of the activities noted above during the reporting period.